1 Introduction

1.1 Context 

Trust and security management in distributed frameworks is known to be a non-trivial, critical issue. It is particularly challenging in Service Oriented Architecture, where services can be discovered and composed in a dynamic way. Implemented solutions should meet the seemingly antinomic goals of openness and flexibility on the one hand and compliance with data privacy and other regulations on the other hand. We have demonstrated in previous works jSJ [2] that functional agility can be achieved for services with a message-level security policy by providing an automated service synthesis algorithm. It resolves a system of deducibility constraints by synthesizing a mediator that may adapt, compose and analyze messages exchanged between client services and that has the functionalities specified by a goal service. It is complete as long as the security policies only apply to the participants in the orchestration and not to the synthesized service nor to who is able to participate. However, security policies often include such non-deducibility constraints on the mediator. For instance, an organisation may not be trusted to efficiently protect the customer's data against attackers even though it is well-meaning. In this case a client would require that the mediator synthesized to interact with this organization must not have direct access to her private data, which is an effective protection even in case of total compromise. Also, it is not possible to specify that the mediator enforces e.g. dynamic separation of duty, i.e., restrictions on the possible participants based on the messages exchanged.

Since checking whether a solution computed by our previous algorithm satisfies the non-deducibility constraints is not complete, we propose in this paper to solve, during the automated synthesis of the mediator, both deducibility and non-deducibility constraints. The former are employed to specify a mediator that satisfies the functional requirements and the security policy on the messages exchanged by the participants, whereas the latter are employed to enforce a security policy on the mediator and the participants in the orchestration.

Original contribution. We have previously proposed decision procedures 22 , 2J for generating a mediator from a high-level specification of a goal service with deducibility constraints. In this paper we extend the formalism to include non-deducibility constraints in the specification of the mediator and provide a decision procedure synthesizing a mediator for the resulting constraint systems.

Related works. In order to understand and anticipate potential flaws in complex composition scenarios, several approaches have been proposed for the formal specification and analysis of secure services [10] [5]. Among the works dedicated to trust in multi-agent systems, the models closest to ours are [T2l ITS], in which one can express that an agent trusts another agent in doing or forbearing from doing an action that leads to some goal. To our knowledge no work has previously considered the automatic orchestration of security services together with policies as ours does. However, there are some interesting related attempts to analyze security protocols and trust management [17] [TT]. In [17] the author uniformly models security protocols and access control based on trust management. The work introduces an elegant approach to model automated trust negotiation. We also consider an integrated framework for protocols and policies, but in our case i) policies can be explicitly negative, such as non-disclosure policies and separation of duty, ii) we propose a decision procedure for the related trust negotiation problem, iii) we do not consider indistinguishability properties. In security protocols are combined with authorization logics that can be expressed with acyclic Horn clauses. The authors encode the derivation of authorization predicates (for a service) as subprotocols and can reuse in that way the constraint solving algorithm from [19] to obtain a decision procedure. In our case we consider more general intruder theories (subterm convergent ones) but focus on negation. We conjecture that our approach applies to their authorization policies too.

Our decision procedure for general (negative and positive) constraints extends [7], where negative constraints are limited to ground terms in right-hand sides and the deduction system is the Dolev-Yao system [S], a special instance of the subterm deduction systems we consider here. In [13] the authors study a class of contract signing protocols where some very specific Dolev-Yao negative constraints are implicitly handled.

Finally, one should note that the non-deducibility constraints we consider state that some data cannot be disclosed globally; they cannot express finer-grained privacy or information leakage notions relying on probability, such as differential privacy.



Paper organization. In Subsection 1.2 we introduce a motivating banking application and sketch our approach to obtain a mediator service. To our knowledge this application is out of the scope of alternative automatic methods. In Section 2 we present our formal setting. A deduction system (Subsection 2.2) describes the abilities of the mediator to process the messages. The mediator synthesis problem is reduced to the resolution of constraints that are defined in Subsection 2.4. In Section 3 we recall the class of subterm deduction systems and their properties. These systems have nice properties that allow us to decide in Section 3 the satisfiability of deducibility constraints even with negation. Finally we conclude in Section 5.



1.2 Synthesis of a Loan Origination Process (LOP) 

We illustrate how negative constraints are needed to express elaborate policies such as Separation of Duty using a classical loan origination process example. Our goal is to synthesize a mediator that selects two bank clerks satisfying the Separation of Duty policy to manage the client's request. Such a problem is solved automatically by the decision procedure proved in the following sections. Let us walk through the specification of the different parts of the orchestration problem.
Formal setting. Data are represented by first-order terms defined on a signature that comprises binary symbols for symmetric and asymmetric encryption (resp. $\{|\_|\}_{\_}$ and $\{\_\}_{\_}$), signature ($\{\_\}^{\mathsf{sig}}_{\_}$), and pairing ($\mathsf{pair}$). Given a public key $k$ we write $\mathsf{inv}(k)$ for its associated private key. For example $\{a\}^{\mathsf{sig}}_{\mathsf{inv}(k)}$ is the signature of $a$ by the owner of public key $k$. For readability we write $a.b.c$ for the term $\mathsf{pair}(a, \mathsf{pair}(b, c))$. The binary symbol $\mathsf{rel}$ expresses that two agents are related and is used for defining a Separation of Duty policy. A unary symbol $g$ is employed to designate a participant's identity in the "relatives" database.

Client and clerks. The client and the clerks are specified by services with a security policy, specifying the cryptographic protections and the data and security tokens, and a business logic that specifies the sequence in which the operations may be invoked. These are compiled into a sequence of protected messages each service is willing to follow during the orchestration (Fig. 1 and 2).

Client $C$ wants to ask for a loan from a service $P$, but for this he needs to get an approval from two banking clerks. He declares his intention by sending to mediator $M$ a message signed by him containing the service name $P$ and the identity of the client $g(C)$. The mediator should send back the names of two clerks $A$ and $B$ who will evaluate his request. The client then sends to each clerk a request containing the amount $Amnt$, his name $C$ and a fresh key which should be used to encrypt the decisions. Each request is encrypted with the public key of the corresponding clerk ($\mathsf{pk}(A)$ or $\mathsf{pk}(B)$). Then the mediator must furnish the decisions ($R_a$ and $R_b$) of the two clerks, each encrypted with the proposed key $N_k$, together with their signatures. Finally, the client uses these tokens to ask for his loan from $P$, where $\mathsf{pk}(P)$ is the public key of $P$.

Clerk $A$ receives a request to participate in a LOP which is conducted by mediator $M$. If he accepts, he returns his identity and public key. Then the clerk receives the client's request for a loan to evaluate: amount $Amnt$, client's name $C$ and a temporary key $K$ for encrypting his decision. The decision is sent back together with a signature certifying its authenticity on the given request.

The client's non-disclosure policy is given in Fig. 2 and is self-explanatory. Let us explain the clerk's non-disclosure policy. The clerk's decision (its last message) should be unforgeable; thus, it should not be known by the mediator before it is sent by the clerk (first non-disclosure constraint of Fig. 1). The role clerk played by $A$ can be used by the mediator only if the constraint $!!g(A)$ is satisfied, showing that $A$ is not a relative of any other actor of the protocol, such as the client and the other clerk (second non-disclosure constraint of Fig. 1).

Goal service. In contrast with the other services and clients, the goal service is only described in terms of possible operations and available initial data.

Initial data. Besides his private/public keys and the public keys of potential partners (e.g. $\mathsf{pk}(P)$), the goal service has access to a relational database $\mathsf{rel}(g(a), g(c)), \mathsf{rel}(g(b), g(c)), \ldots$ storing known existing relations between agents, to be checked against conflicts of interest.
Clerk's ($A$) communications:

$* \Rightarrow A : \mathsf{request}.M$
$A \Rightarrow M : g(A).\mathsf{pk}(A)$
$M \Rightarrow A : \{Amnt.C.K\}_{\mathsf{pk}(A)}$
$A \Rightarrow M : m_1(A, Resp_A, K, C, Amnt)$

Non-disclosure constraints:

1. $M$ cannot deduce the fourth message before it is sent by $A$.

2. $M$ cannot deduce $g(A)$ before the second message is sent by $A$.

Figure 1: Clerk's communications and non-disclosure constraints

Client's ($C$) communications (see footnote 1 for the abbreviations $m_1, \ldots, m_4$):

$C \Rightarrow M : \{g(C).\mathsf{loan}.P\}^{\mathsf{sig}}_{\mathsf{inv}(\mathsf{pk}(C))}$
$M \Rightarrow C : A.B$
$C \Rightarrow M : m_2(A, Amnt).m_2(B, Amnt)$
$M \Rightarrow C : m_3(A, R_a).m_3(B, R_b)$
$C \Rightarrow P : m_4(\mathsf{pk}(P), A, B, R_a, R_b)$

Non-disclosure constraints:

1. $M$ cannot deduce the amount $Amnt$.

2. $M$ cannot deduce $A$'s decision $R_a$.

3. $M$ cannot deduce $B$'s decision $R_b$.

Figure 2: Client's communications and non-disclosure constraints



$$
\begin{array}{ll}
\text{Composition rules} & \text{Decomposition rules} \\
x, y \to \mathsf{pair}(x, y) & \mathsf{pair}(x, y) \to x \\
x, y \to \{|x|\}_y & \mathsf{pair}(x, y) \to y \\
x, y \to \{x\}_y & y, \{|x|\}_y \to x \\
x, \mathsf{inv}(y) \to \{x\}^{\mathsf{sig}}_{\mathsf{inv}(y)} & \mathsf{inv}(y), \{x\}_y \to x \\
 & x, \mathsf{rel}(x, y) \to y \\
 & y, \mathsf{rel}(x, y) \to x
\end{array}
$$

Figure 3: Deduction system for the LOP example.



Deduction rules. The access to the database as well as the possible operations on messages are modeled by a set of deduction rules (formally defined later). We anticipate the rest of this paper and present the rules specific to this case study, grouped into composition and decomposition rules, in Fig. 3.



Mediator synthesis problem. In order to communicate with the services (here the client, the clerks and the service $P$), a mediator has to satisfy a sequence of constraints expressing that (i) each message $m$ expected by a service (denoted $?m$) can be deduced from all the previously sent messages $m'$ (denoted $!m'$) and the initial knowledge, and (ii) each message $w$ that should not be known or disclosed (denoted $!!w$ and called a negative constraint) is not deducible.

The orchestration problem consists in finding a satisfying interleaving of the constraints imposed by each service. For instance, the clerk's and client's constraints extracted from Fig. 1 and Fig. 2 are:

$$
\begin{array}{ll}
\mathrm{Client}(C) = & !_M \{g(C).\mathsf{loan}.P\}^{\mathsf{sig}}_{\mathsf{inv}(\mathsf{pk}(C))} \;\; ?_M A.B \;\; !_M m_2(A, Amnt).m_2(B, Amnt) \\
 & ?_M m_3(A, R_a).m_3(B, R_b) \;\; !!_M Amnt \;\; !!_M R_a \;\; !!_M R_b \\
 & !_P m_4(\mathsf{pk}(P), A, B, R_a, R_b) \\[1ex]
\mathrm{Clerk}(A) = & ?\mathsf{request}.M \;\; !!_M g(A) \;\; !_M g(A).\mathsf{pk}(A) \;\; ?_M \{Amnt.C.K\}_{\mathsf{pk}(A)} \\
 & !!_M m_1(A, Resp_A, K, C, Amnt) \;\; !_M m_1(A, Resp_A, K, C, Amnt)
\end{array}
$$

If it exists, our procedure outputs a solution which can be translated automatically into a mediator. Note, for example, that without the negative constraint $!!_M g(A)$ a synthesized mediator might accept any clerk identity, and that could violate the Separation of Duty policy.
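As an added example (not the paper's code), the following Python models the ground deduction system of Fig. 3 as a saturation procedure and walks a ground interleaving of the clerk's and client's constraints above, checking each $?$ and $!!$ constraint against the mediator's current knowledge in the sense of Definition 2.3. Assumptions not in the paper: the hash $h$ inside $m_1$ is omitted, a single clerk is selected, and the mediator initially knows $g(C)$ and a database entry $\mathsf{rel}(g(D), g(C))$ for a second candidate clerk $D$.

```python
"""Ground subterm deduction and constraint checking for the LOP example.
Constants are strings; compound terms are tuples (symbol, arg1, ...)."""

def pair(*ts):
    """a.b.c abbreviates pair(a, pair(b, c)), as in the paper."""
    return ts[0] if len(ts) == 1 else ('pair', ts[0], pair(*ts[1:]))

def senc(m, k): return ('senc', m, k)   # {|m|}_k  symmetric encryption
def aenc(m, k): return ('aenc', m, k)   # {m}_k    asymmetric encryption
def sig(m, k):  return ('sig', m, k)    # {m}^sig_k with k a private key inv(pk(.))
def rel(a, b):  return ('rel', a, b)    # database entry: a and b are relatives
def pk(a):      return ('pk', a)
def inv(k):     return ('inv', k)
def g(a):       return ('g', a)         # identity token of agent a

# Symbols with a composition rule in Fig. 3. g, pk, inv and rel have none:
# identities, keys and database entries cannot be forged by the mediator.
COMPOSABLE = {'pair', 'senc', 'aenc', 'sig'}

def subterms(t, acc):
    """Add Sub(t), including t itself, to the set acc."""
    acc.add(t)
    if isinstance(t, tuple):
        for a in t[1:]:
            subterms(a, acc)

def decompositions(K):
    """Terms obtained from K by one decomposition rule of Fig. 3."""
    new = set()
    for t in K:
        if not isinstance(t, tuple):
            continue
        f = t[0]
        if f == 'pair':                       # pair(x,y) -> x ; pair(x,y) -> y
            new.update(t[1:])
        elif f == 'senc' and t[2] in K:       # y, {|x|}_y -> x
            new.add(t[1])
        elif f == 'aenc' and inv(t[2]) in K:  # inv(y), {x}_y -> x
            new.add(t[1])
        elif f == 'rel':                      # x, rel(x,y) -> y ; y, rel(x,y) -> x
            if t[1] in K:
                new.add(t[2])
            if t[2] in K:
                new.add(t[1])
    return new - K

def compositions(K, candidates):
    """Candidates f(t1..tn) with a composition rule whose arguments are all in K."""
    return {t for t in candidates if t not in K and isinstance(t, tuple)
            and t[0] in COMPOSABLE and all(a in K for a in t[1:])}

def deducible(K, goal):
    """Decide goal in Der(K). In a subterm system only compositions of subterms
    of K and of the goal are needed (Sect. 3), so this saturation terminates."""
    K = set(K)
    sub = set()
    for t in K | {goal}:
        subterms(t, sub)
    while True:
        new = decompositions(K) | compositions(K, sub)
        if not new:
            return goal in K
        K |= new

def check(S, K0):
    """Walk a ground constraint system S = [(kind, term), ...] where '!' is a
    message sent by a service (the mediator learns it), '?' a message the
    mediator must deduce now, and '!!' a term it must NOT be able to deduce.
    Returns (True, None) or (False, index of the first violated constraint)."""
    K = set(K0)
    for i, (kind, t) in enumerate(S):
        if kind == '!':
            K.add(t)
        elif kind == '?' and not deducible(K, t):
            return False, i
        elif kind == '!!' and deducible(K, t):
            return False, i
    return True, None

# Constructed instance: clerk A is unrelated to C, clerk D is a relative of C.
C, P, M, AMNT, NK, RESP = 'C', 'P', 'M', 'amnt_50000', 'Nk', 'Ra'
K0 = frozenset({M, 'request', 'loan', P, 'A', 'D', pk('A'), pk('D'), pk(C),
                pk(P), g(C), rel(g('D'), g(C))})   # mediator's initial knowledge

def lop_scenario(clerk):
    """Interleaving of the client's and one clerk's constraints (Fig. 1 and 2)."""
    m1 = pair(sig(pair(clerk, AMNT, C, RESP), inv(pk(clerk))), senc(RESP, NK))
    m2 = aenc(pair(AMNT, C, NK), pk(clerk))        # m2(clerk, Amnt) with K = Nk
    return [
        ('!', sig(pair(g(C), 'loan', P), inv(pk(C)))),  # C -> M: loan request
        ('?', pair('request', M)),                       # M -> clerk: invitation
        ('!!', g(clerk)),                                # SoD: g(clerk) unknown to M
        ('!', pair(g(clerk), pk(clerk))),                # clerk -> M: identity, key
        ('?', clerk),                                    # M -> C: the clerk's name
        ('!', m2),                                       # C -> M: encrypted request
        ('!!', AMNT),                                    # M must not learn the amount
        ('?', m2),                                       # M -> clerk: forwarded as is
        ('!!', m1),                                      # M cannot forge the decision
        ('!', m1),                                       # clerk -> M: signed decision
        ('!!', RESP),                                    # M must not learn the decision
        ('?', m1),                                       # M -> C: m3(clerk, Ra)
    ]
```

`check(lop_scenario('A'), K0)` returns `(True, None)`: the mediator forwards the ciphertexts without ever deducing `Amnt` or `Ra`. `check(lop_scenario('D'), K0)` returns `(False, 2)`: from `g(C)` and `rel(g(D), g(C))` the mediator deduces `g(D)`, so the negative constraint $!!g(D)$ rejects the related clerk.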



2 Derivations and constraint systems 

In our setting messages are terms generated or obtained according to some elementary rules called deduction rules. A derivation is a sequence of deduction rules applied by a mediator to build new messages. The goal of the synthesis is specified by a constraint system, i.e. a sequence of terms labelled by the symbols $!$, $?$ or $!!$, respectively sent, received, or unknown at some step of the process.



2.1 Terms and substitutions 

Let $X$ be a set of variables, $\mathcal{F}$ a set of function symbols and $C$ a set of constants. The set of terms $\mathcal{T}$ is the minimal set containing $X$, $C$ and such that if $t_1, \ldots, t_k \in \mathcal{T}$ then $f(t_1, \ldots, t_k) \in \mathcal{T}$ for any $f \in \mathcal{F}$ with arity $k$. The set of subterms of a term $t$ is denoted $\mathrm{Sub}(t)$ and is the minimal set containing $t$ such that $f(t_1, \ldots, t_n) \in \mathrm{Sub}(t)$ implies $t_1, \ldots, t_n \in \mathrm{Sub}(t)$ for $f \in \mathcal{F}$. We denote $\mathrm{Vars}(t)$ the set $X \cap \mathrm{Sub}(t)$. A term $t$ is ground if $\mathrm{Vars}(t) = \emptyset$. We denote $\mathcal{T}_g$ the set of ground terms.

A substitution $\sigma$ is an idempotent mapping from $X$ to $\mathcal{T}$. It is ground if it is a mapping from $X$ to $\mathcal{T}_g$. The application of a substitution $\sigma$ on a term $t$ is denoted $t\sigma$ and is equal to the term $t$ where all variables $x$ have been replaced by the term $x\sigma$. We say that a substitution $\sigma$ is injective on a set of terms $T$ iff for all $p, q \in T$, $p\sigma = q\sigma$ implies $p = q$. The domain of $\sigma$ (denoted $\mathrm{dom}(\sigma)$) is the set $\{x \in X : x\sigma \neq x\}$. The image of $\sigma$ is $\mathrm{img}(\sigma) = \{x\sigma : x \in \mathrm{dom}(\sigma)\}$. Given two substitutions $\sigma, \delta$, the substitution $\sigma\delta$ has for domain $\mathrm{dom}(\sigma) \cup \mathrm{dom}(\delta)$ and is defined by $x\sigma\delta = (x\sigma)\delta$. If $\mathrm{dom}(\sigma) \cap \mathrm{dom}(\delta) = \emptyset$ we write $\sigma \cup \delta$ instead of $\sigma\delta$.

A unification system $U$ is a finite set of equations $\{p_i =^? q_i\}_{1 \le i \le n}$ where $p_i, q_i \in \mathcal{T}$. A substitution $\sigma$ is a unifier of $U$, or equivalently satisfies $U$, iff for all $i = 1, \ldots, n$, $p_i\sigma = q_i\sigma$. Any satisfiable unification system $U$ admits a most general unifier $\mathrm{mgu}(U)$, unique modulo variable renaming, and such that for any unifier $\sigma$ of $U$ there exists a substitution $\tau$ such that $\sigma = \mathrm{mgu}(U)\tau$. Wlog we assume in the rest of this paper that $\mathrm{Vars}(\mathrm{img}(\mathrm{mgu}(U))) \subseteq \mathrm{Vars}(U)$, i.e., the most general unifier does not introduce new variables.

Footnote 1 (abbreviations for the messages of Fig. 1 and 2):

$$
\begin{array}{l}
m_1(A, Resp, K, Ct, S) = \{h(A.S.Ct.Resp)\}^{\mathsf{sig}}_{\mathsf{inv}(\mathsf{pk}(A))} . \{|Resp|\}_K \\
m_2(A, S) = \{S.C.N_k\}_{\mathsf{pk}(A)} \\
m_3(A, R) = m_1(A, R, N_k, C, Amnt) \\
m_4(K, A, B, R_1, R_2) = \{Amnt.C.A.R_1.B.R_2\}_K . m_3(A, R_1) . m_3(B, R_2)
\end{array}
$$

A sequence $s$ is indexed by $[1, \ldots, n]$ with $n \in \mathbb{N}$. We write $|s|$ the length of $s$, the empty sequence, $s[i]$ the $i$-th element of $s$, $s[m : n]$ the sequence $s[m], \ldots, s[n]$ and $s, s'$ the concatenation of two sequences $s$ and $s'$. We write $e \in s$ and $E \subseteq s$ for, respectively, $\exists i : s[i] = e$ and $\forall e \in E, e \in s$.

2.2 Deduction systems 

The new values created by the mediator are constants in a subset $C_{med}$ of $C$. We assume that both $C_{med}$ and $C \setminus C_{med}$ are infinite. Given $l_1, \ldots, l_n, r \in \mathcal{T}$, the notation $l_1, \ldots, l_n \to r$ denotes a deduction rule if $\mathrm{Var}(r) \subseteq \bigcup_{i=1}^n \mathrm{Var}(l_i)$. A deduction is a ground instance of a deduction rule. A deduction system is a set of deduction rules that contains a finite set of deduction rules in addition to all nonce creation rules $\to n$ (one for every $n \in C_{med}$) and all reception rules $?t$ (one for every $t \in \mathcal{T}$). All rules but the reception rules are called standard rules. The deduction system describes the abilities of the mediator to process the messages. In the rest of this section we fix an arbitrary deduction system $\mathcal{D}$. We denote by $l \leadsto r$ any rule and by $l \to r$ any standard rule.

2.3 Derivations and localizations 

A derivation is a sequence of deductions, including receptions of messages from available services, performed by the mediator. Given a sequence of deductions $E = (l_i \leadsto r_i)_{i = 1, \ldots, m}$ we denote $R_E(i)$ the set $\{r_j : j \le i\}$.

Definition 2.1 (Derivation). A sequence of deductions $D = (l_i \leadsto r_i)_{i = 1, \ldots, m}$ is a derivation if for any $i \in \{1, \ldots, m\}$, $l_i \subseteq R_D(i - 1)$.

Given a derivation $D$ we define $\mathrm{Next}_D(i) = \min(\{|D| + 1\} \cup \{j : j > i \text{ and } D[j] = ?t_j\})$. The explicit knowledge of the mediator is the set of terms it has already deduced, and its implicit knowledge is the set of terms it can deduce. If the former is $K$ we denote the latter $\mathrm{Der}(K)$. A derivation $D$ is a proof of $t \in \mathrm{Der}(K)$ if $?r \in D$ implies $r \in K$, and $D[|D|] = l \leadsto t$. Thus, we have:

$$\mathrm{Der}(K) = \{t : \exists D \text{ derivation s.t. } ?r \in D \text{ implies } r \in K, \text{ and } D[|D|] = l \leadsto t\}$$

2.4 Constraint systems 

Definition 2.2 (Constraint system). A constraint system $S$ is a sequence of constraints where each constraint has one of three forms (where $t$ is a term):

1. $?t$, denoting a message reception by an available service or a client,

2. $!t$, denoting a message emission by an available service or a client,

3. $!!t$, a negative constraint, denoting that the mediator must not be able to deduce $t$ at this point;

and that satisfies the following properties for any $1 \le i \le |S|$:

Origination: if $S[i] = !t_i$ then $\mathrm{Vars}(t_i) \subseteq \bigcup_{j < i} \mathrm{Vars}(\{t_j : S[j] = ?t_j\})$;

Determination: if $S[i] = !!t_i$ then $\mathrm{Vars}(t_i) \subseteq \bigcup_{j} \mathrm{Vars}(\{t_j : S[j] = ?t_j\})$.

Origination means that every unknown in a service's state originates from previous input by the mediator. Determination means that negative constraints are on messages determined by a service's state at the end of its execution.

$$
\begin{array}{l}
S:\quad ?t_1 \;\; !!t_2 \;\; !t_3 \;\; ?t_4 \;\; !t_5 \;\; !!t_6 \;\; ?t_7 \\
D:\quad l_1 \to r_1 \;\; l_2 \to r_2 \;\; ?r_3 \;\; l_4 \to r_4 \;\; l_5 \to r_5 \;\; ?r_6 \;\; l_7 \to r_7 \;\; l_8 \to r_8 \;\; l_9 \to r_9 \\
\alpha(3) = 3, \quad \alpha(5) = 6, \quad t_3\sigma = r_3, \quad t_5\sigma = r_6
\end{array}
$$

Figure 4: A constraint system and a compliant derivation

In the rest of this paper $S$ (and decorations thereof) denotes a constraint system. An index $i$ is a send (resp. a receive) index if $S[i] = !t$ (resp. $S[i] = ?t$) for some term $t$. If $i_1, \ldots, i_k$ is the sequence of all send (resp. receive) indices in $S$ we denote $\mathrm{Out}(S)$ (resp. $\mathrm{In}(S)$) the sequence $S[i_1], \ldots, S[i_k]$. We note that the origination and determination properties imply $\mathrm{Var}(S) = \mathrm{Var}(\mathrm{In}(S))$. Given $1 \le i \le |S|$ we define $\mathrm{prev}_S(i)$ to be $\max(\{0\} \cup \{j : j < i \text{ and } S[j] = !t_j\})$.

Definition 2.3 (Solution of a constraint system). A ground substitution $\sigma$ is a solution of $S$, and we denote $\sigma \models S$, if $\mathrm{dom}(\sigma) = \mathrm{Var}(S)$ and

1. if $S[i] = ?t$ then $t\sigma \in \mathrm{Der}(\{t_j\sigma : j \le \mathrm{prev}_S(i) \text{ and } S[j] = !t_j\})$

2. if $S[i] = !!t$ then $t\sigma \notin \mathrm{Der}(\{t_j\sigma : j \le \mathrm{prev}_S(i) \text{ and } S[j] = !t_j\})$

Definition 2.4 (Compliant derivations). Let $\sigma$ be a ground substitution with $\mathrm{dom}(\sigma) = \mathrm{Var}(S)$. A derivation $D$ is $(S, \sigma)$-compliant if there exists a strictly increasing bijective mapping $\alpha$ from the send indices of $S$ to the set $\{j : D[j] = ?r\}$ such that $S[i] = !t$ implies $D[\alpha(i)] = ?t\sigma$.

An example of $(S, \sigma)$-compliant derivation is shown in Fig. 4. Since a sequence of receptions is a derivation, we note that for every ground substitution $\sigma$ with $\mathrm{dom}(\sigma) = \mathrm{Var}(\mathrm{In}(S))$ there exists at least one compliant derivation $D$.

Definition 2.5 (Proof of a solution). Let $\sigma$ be a ground substitution. A derivation $D$ is a proof of $\sigma \models S$, and we denote $D, \sigma, \alpha \vdash S$, if:

1. $D$ is $(S, \sigma)$-compliant with the mapping $\alpha$ and

2. if $S[i] = ?t$ there is $j < \mathrm{Next}_D(\alpha(\mathrm{prev}_S(i)))$ such that $D[j] = l \leadsto t\sigma$ and

3. if $S[i] = !!t$ then $t\sigma \notin \mathrm{Der}(\{t_j\sigma : j \le \mathrm{prev}_S(i) \text{ and } S[j] = !t_j\})$.

In Fig. 4, if $\sigma$ is a solution of $S$ and, for example, $t_1\sigma = r_2$, $t_2\sigma \notin \mathrm{Der}(\emptyset)$, $t_4\sigma = r_4$, $t_6\sigma \notin \mathrm{Der}(\{r_3, r_6\})$ and $t_7\sigma = r_8$, then $D$ is a proof of $\sigma \models S$. Let us prove that if $\sigma \models S$ then there is a proof $D, \sigma, \alpha \vdash S$.

Definition 2.6 (Maximal derivation). Let $T$ be a finite set of terms and $\sigma$ be a ground substitution with $\mathrm{dom}(\sigma) = \mathrm{Var}(T)$. A derivation $D$ is $(T, \sigma)$-maximal iff for every $t \in \mathrm{Sub}(T)$, $t\sigma \in \mathrm{Der}(R_D(i))$ implies $t\sigma \in R_D(\mathrm{Next}_D(i) - 1)$.

First we prove that maximal derivations are natural proof candidates of $\sigma \models S$.

Lemma 1. Let $\sigma$ be a ground substitution with $\mathrm{dom}(\sigma) = \mathrm{Var}(S)$ and $D$ be a $(S, \sigma)$-compliant $(\mathrm{Sub}(S), \sigma)$-maximal derivation. Then $\sigma \models S$ iff for all $i$:

• if $S[i] = ?t$ then there exists $j < \mathrm{Next}_D(\alpha(\mathrm{prev}_S(i)))$ : $D[j] = l \leadsto t\sigma$ and

• if $S[i] = !!t$ then for all $j < \mathrm{Next}_D(\alpha(\mathrm{prev}_S(i)))$ : $D[j] \neq l \leadsto t\sigma$.

In the next lemma we show that any $(T, \sigma)$-maximal derivation $D$ may be extended into a $(T', \sigma')$-maximal derivation for an arbitrary extension $T', \sigma'$ of $T, \sigma$ by adding into $D$ only standard deductions.

Lemma 2. Let $\sigma$ be a ground substitution with $\mathrm{dom}(\sigma) = \mathrm{Var}(S)$. Let $T_1, T_2$ be two sets of terms such that $T_1 \subseteq T_2$, and $\sigma_1, \sigma_2$ be two substitutions such that $\mathrm{dom}(\sigma_1) = \mathrm{Var}(T_1)$ and $\mathrm{dom}(\sigma_2) = \mathrm{Var}(T_2) \setminus \mathrm{Var}(T_1)$. If $D$ is a $(T_1, \sigma_1)$-maximal $(S, \sigma)$-compliant derivation in which no term is deduced twice by a standard rule, then there exists a $(T_2, \sigma_1 \cup \sigma_2)$-maximal $(S, \sigma)$-compliant derivation $D'$ in which no term is deduced twice by a standard rule, such that every deduction whose right-hand side is in $\mathrm{Sub}(T_1)\sigma_1$ occurs in $D'$ iff it occurs in $D$.

Proof. Let $i_1, \ldots, i_k$ be the indices of the non-standard rules in $D$, let $D[i_j] = ?t_{i_j}$, and let, for $0 \le j \le k$, $D_j = D[i_j + 1 : i_{j+1} - 1]$ with $i_0 = 0$ and $i_{k+1} = |D| + 1$. That is, $D = D_0, ?t_{i_1}, D_1, ?t_{i_2}, D_2, \ldots, ?t_{i_k}, D_k$. Noting that $\mathrm{dom}(\sigma_1) \cap \mathrm{dom}(\sigma_2) = \emptyset$, let $\sigma' = \sigma_1 \cup \sigma_2$.

For each $t \in \mathrm{Sub}(T_2)$ such that $t\sigma' \in \mathrm{Der}(t_{i_1}, \ldots, t_{i_k})$ let $i_t$ be minimal such that $t\sigma' \in \mathrm{Der}(t_{i_1}, \ldots, t_{i_{i_t}})$, let $E^0_t$ be a proof of this fact, and let $E_t$ be the sequence of standard deductions obtained by removing every non-standard deduction from $E^0_t$.

For $0 \le j \le k$ let $D'_j$ be the sequence of standard deduction steps $D_j, E_{s_1}, \ldots, E_{s_p}$ for all $s_m \in \mathrm{Sub}(T_2)\sigma' \setminus \mathrm{Sub}(T_1)\sigma'$ such that $i_{s_m} = j$, in which every rule of $E_{s_1}, \ldots, E_{s_p}$ that deduces a term previously deduced in the sequence, or for some $m < j$ deduced in $D'_m$ or in $D[i_m]$, is removed.

Let $D' = D'_0, ?t_{i_1}, D'_1, \ldots, ?t_{i_k}, D'_k$. We have deleted in each $E^0_t$ only deductions whose right-hand side occurs before in $D'$, and thus $D'$ is a derivation. Since the $D'_j$ contain only standard deductions, we can see that $D'$ is $(S, \sigma)$-compliant.

Since $D$ is $(T_1, \sigma_1)$-maximal and no term is deduced twice in $D$, we note that, for $t \in T_1$, no standard deduction of $t\sigma_1$ from a sequence $D_j$ is deleted. Furthermore, we note that standard deductions of terms of $T_2\sigma_2$ that are also in $T_1\sigma_1$ are deleted by construction and by the maximality of $D$. Thus a deduction whose right-hand side is in $\mathrm{Sub}(T_1)\sigma_1$ is in $D'$ iff it occurs in $D$.

By construction $D'$ is $(T_2, \sigma')$-maximal and no term is deduced twice by standard deductions. □

Taking $T_1 = \emptyset$, $T_2 = \mathrm{Sub}(S)$, and $\sigma_2 = \sigma$, Lemma 2 implies that for every substitution $\sigma$ of domain $\mathrm{Var}(S)$ there exists a $(S, \sigma)$-compliant $(\mathrm{Sub}(S), \sigma)$-maximal derivation $D$. By Lemma 1, if $\sigma \models S$ then $D$ is a proof of $\sigma \models S$. Since the converse is trivial, it suffices to search for proofs maximal wrt $T_2 = \mathrm{Sub}(S)$.



3 Subterm deduction system 
3.1 Definition and main property 

We say that a deduction system is a subterm deduction system whenever each deduction rule which is not a nonce creation or a message reception is either:

1. $x_1, \ldots, x_n \to f(x_1, \ldots, x_n)$ for a function symbol $f$;

2. $l_1, \ldots, l_n \to r$ for some terms $l_1, \ldots, l_n, r$ such that $r \in \bigcup_{i=1}^n \mathrm{Sub}(l_i)$.

A composition rule is either a message reception, a nonce creation, or a rule of the first type. A deduction rule is otherwise a decomposition rule. Reachability problems for deduction systems with a convergent equational theory are reducible to the satisfiability of a constraint system in the empty theory for a deduction system in our setting [16] [13]. If furthermore the equational theory is subterm [5], the reduction is to a subterm deduction system as just defined above.

Now we show that if $D, \sigma, \alpha \vdash S$, a term $s \in \mathrm{Sub}(D)$ is either the instance of a non-variable subterm of $\mathrm{Out}(S)$ or deduced by a standard composition.

Lemma 3. Let $\sigma$ be a ground substitution such that $\sigma \models S$. If $D$ is a proof of $\sigma \models S$ such that no term is deduced twice in $D$ by standard rules and $s$ is a term such that $s \in \mathrm{Sub}(D)$ and $s \notin (\mathrm{Sub}(\mathrm{Out}(S)) \setminus X)\sigma$, then there exists an index $i$ in $D$ such that $D[i] = l \to s$ is a composition rule and $s \notin \mathrm{Sub}(R_D(i - 1))$.

Proof. First we note that by definition of subterm deduction systems, for any decomposition rule $l \to r$ we have a) $r \in \mathrm{Sub}(l)$, and b) for any composition rule $l \to r$ we have $l \subseteq \mathrm{Sub}(r)$ and $\mathrm{Sub}(r) \setminus \mathrm{Sub}(l) = \{r\}$.

Let $D$ be a proof of $\sigma \models S$, and let $i$ be minimal such that $D[i] = l_r \leadsto r$ with $s \in \mathrm{Sub}(r)$. Since $l_r \subseteq R_D(i - 1)$, the minimality of $i$ implies $s \in \mathrm{Sub}(r) \setminus \mathrm{Sub}(l_r)$.

Thus by a) $D[i]$ cannot be a decomposition.

If $D[i] = ?r$ then by the $(S, \sigma)$-compliance of $D$ we have $S[\alpha^{-1}(i)] = !t$ with $t\sigma = r$. We have $s \in \mathrm{Sub}(r) = \mathrm{Sub}(t\sigma) = \mathrm{Sub}(t)\sigma \cup \mathrm{Sub}(\mathrm{Vars}(t)\sigma)$.

If $s \in (\mathrm{Sub}(\mathrm{Out}(S)) \setminus X)\sigma$ we are done; otherwise there exists $y \in \mathrm{Vars}(t)$ with $s \in \mathrm{Sub}(y\sigma)$. By the origination property, there exists $k < \alpha^{-1}(i)$ such that $S[k] = ?t'$ with $y \in \mathrm{Vars}(t')$. Since $D, \sigma, \alpha \vdash S$ and $k < \alpha^{-1}(i)$ there exists $j < i$ such that $D[j] = l_j \to t'\sigma$. The minimality of $i$ is contradicted by $s \in \mathrm{Sub}(t'\sigma)$.

Therefore, $D[i] = l_r \to r$ is a standard composition rule. As a consequence, $\mathrm{Sub}(r) \setminus \mathrm{Sub}(l_r) = \{r\}$. Since $s \in \mathrm{Sub}(r) \setminus \mathrm{Sub}(l_r)$, we finally obtain $s = r$. □

3.2 Locality 

Subterm deduction systems are not necessarily local in the sense of [18]. However, we prove in this subsection that given $\sigma$, there exists a finite extension $T$ of $\mathrm{Sub}(S)$, an extension $\sigma'$ of $\sigma$ of domain $\mathrm{Var}(T)$ and a $(T, \sigma')$-maximal derivation $D$ in which every deduction relevant to the proof of $\sigma \models S$ is liftable into a deduction between terms in $T$. Let us first make the above statements precise.

Definition 3.1 (Localization set). A set of terms $T$ localizes a derivation $D = (l_i \leadsto r_i)_{1 \le i \le m}$ for a substitution $\sigma$ of domain $\mathrm{Var}(T)$ if for every $1 \le i \le m$, if $D[i]$ is a standard rule and there exists $t \in \mathrm{Sub}(T) \setminus X$ such that $t\sigma = r_i$, there exist $t_1, \ldots, t_n \in \mathrm{Sub}(T)$ such that $\{t_1\sigma, \ldots, t_n\sigma\} \subseteq R_D(i - 1)$ and $t_1, \ldots, t_n \to t$ is an instance of a standard deduction rule.

First, we prove that for subterm deduction systems, every proof $D$ of $\sigma \models S$ is localized by a set $T$ of DAG size linear in the DAG size of $S$.

Lemma 4. If $\sigma$ is a ground substitution such that $\sigma \models S$, there exist $T \supseteq \mathrm{Sub}(S)$ of size linear in $|\mathrm{Sub}(S)|$, a substitution $\tau$ of domain $\mathrm{Var}(T) \setminus \mathrm{Var}(S)$ and a $(T, \sigma \cup \tau)$-maximal and $(S, \sigma)$-compliant derivation localized by $T$ for $\sigma \cup \tau$.

Proof. By Lemma 2 applied with $T_1 = \emptyset$, $T_2 = \mathrm{Sub}(S)$, $\sigma_1 = \emptyset$, $\sigma_2 = \sigma$, and $D_0$ the $(S, \sigma)$-compliant derivation that has no standard deductions, there exists a $(\mathrm{Sub}(S), \sigma)$-maximal $(S, \sigma)$-compliant derivation $D$ in which no term is deduced twice by a standard deduction. From now on we let $T_0 = \mathrm{Sub}(S)$.

Let $\{l_i \to r_i\}_{1 \le i \le n}$ be the set of decompositions in $D$, and $\{(L_i \to R_i, \tau_i)\}_{1 \le i \le n}$ be a set of decomposition rules and ground substitutions such that for all $1 \le i \le n$ we have $L_i\tau_i \to R_i\tau_i = l_i \to r_i$. Since no term in $D$ is deduced twice by a standard deduction, by ?? we have $n \le |\mathrm{Sub}(\mathrm{Out}(S))|$.

Modulo variable renaming we may assume that $i \neq j$ implies $\mathrm{dom}(\tau_i) \cap \mathrm{dom}(\tau_j) = \emptyset$, and thus that $\tau = \bigcup_{i=1}^n \tau_i$ is defined on $T_1 = \bigcup_{i=1}^n (\mathrm{Sub}(L_i) \cup \mathrm{Sub}(R_i))$. Note that the size of $T_1$ is bounded by $M \times |\mathrm{Sub}(\mathrm{Out}(S))|$, where $M$ is the maximal size of a decomposition rule belonging to the deduction system.

Let $T = T_0 \cup T_1$ and, noting that these substitutions are defined on non-intersecting domains, let $\sigma' = \sigma \cup \tau$. By construction $|T| \le (M + 1) \times |\mathrm{Sub}(S)|$.

By Lemma 2 there exists a $(S, \sigma)$-compliant derivation $D'$ which is $(T, \sigma')$-maximal and such that every deduction of a term in $T_0\sigma$ that occurs in $D$ also occurs in $D'$, and no term is deduced twice in $D'$ by a standard deduction.

Let $l \to r$ be a deduction in $D'$ which does not appear in $D$. Since $D$ is $(T_0, \sigma)$-maximal we have $r \notin \mathrm{Sub}(T_0)\sigma$, and thus $r \notin \mathrm{Sub}(\mathrm{Out}(S))\sigma$. Since no term is deduced twice in $D'$, by Lemma 3 this deduction must be a composition.

Let us prove that $D'$ is $(T, \sigma')$-localized. By definition of composition rules, every composition that deduces a term $t\sigma'$ with $t \in \mathrm{Sub}(T) \setminus \mathrm{Var}(T)$ has a left-hand side $t_1\sigma', \ldots, t_k\sigma'$ with $t_1, \ldots, t_k \in \mathrm{Sub}(T)$, and $t_1, \ldots, t_k \to t$ is an instance of a composition rule. By the preceding paragraph every decomposition in $D'$ occurs in $D$ and thus by construction has its left-hand side in $T_1\sigma'$, which was previously built in $D$ and is an instance of some $L_i \to R_i$ such that $\mathrm{Sub}(L_i \cup \{R_i\}) \subseteq T_1 \subseteq T$.

Thus every deduction whose right-hand side is in $(\mathrm{Sub}(T) \setminus \mathrm{Var}(T))\sigma'$ has its left-hand side in $\mathrm{Sub}(T)\sigma'$, and thus $D'$ is localized by $T$ for $\sigma'$. □

We now prove that to solve constraint systems one can first guess equalities between terms in $T$ and then solve constraint systems without variables. The guess of equalities is correct wrt a solution $\sigma$ if terms in $T$ that have the same instance by $\sigma$ are syntactically equal. We characterize these guesses as follows.

Definition 3.2 (One-to-one localizations). A set of terms $T$ one-to-one localizes a derivation $D$ for a ground substitution $\sigma$ if $\sigma$ is injective on $\mathrm{Sub}(T)$ and $T$ localizes $D$ for $\sigma$.

In Lemma 7 we prove that once equalities between variables are correctly guessed there exists a one-to-one localization of a maximal proof $D$.

Lemma 5. Let $T$ be a set of terms such that $T = \mathrm{Sub}(T)$, $\sigma$ be a ground substitution defined on $\mathrm{Vars}(T)$, $U = \{p =^? q : p, q \in T \wedge p\sigma = q\sigma\}$ be a unification system and $\theta$ be its most general idempotent unifier with $\mathrm{Vars}(\mathrm{img}(\theta)) \subseteq \mathrm{Vars}(U)$. Then for any term $t$, $t\theta\sigma = t\sigma$.

Proof. Let us show $\forall x \in \mathrm{Vars}(T), x\sigma = x\theta\sigma$. Note that this trivially holds if $x\theta = x$. Thus we consider the case $x\theta \neq x$.

Since $U$ contains all equations $p =^? p$ for $p \in \mathrm{Sub}(T) = T$, we have $\mathrm{Sub}(T) = \mathrm{Sub}(U)$. From the idempotency of $\theta$ ($\forall y \in \mathrm{Vars}(U), y\theta\theta = y\theta$), we get $\forall y \in \mathrm{Vars}(\mathrm{img}(\theta)), y\theta = y$.

As $\sigma$ is evidently a unifier of $U$, there exists a substitution $\tau$ such that $\sigma = \theta\tau$. Therefore, $y\sigma = y\theta\tau = y\tau$, i.e. $y\sigma = y\tau$ for all $y \in \mathrm{Vars}(\mathrm{img}(\theta))$. Thus, for any $x \in \mathrm{Vars}(T)$, $x\theta\sigma = x\theta\tau = x\sigma$.

Consequently, for any term $t$ we have $t\sigma = t\theta\sigma$. □

Lemma 6. Let $U$ be a unification system and $\theta = \mathrm{mgu}(U)$ an idempotent most general unifier with $\mathrm{Vars}(\mathrm{img}(\theta)) \subseteq \mathrm{Vars}(U)$. Then $\forall p \in \mathrm{Sub}(\mathrm{img}(\theta))\ \exists q \in \mathrm{Sub}(U) : p = q\theta$.

Proof. The case where $p \in X$ is trivial, since $\mathrm{Vars}(\mathrm{img}(\theta)) \subseteq \mathrm{Vars}(U)$ and we can take $q = p$. Otherwise, suppose that $p \in \mathrm{Sub}(\{x\theta \mid x \in \mathrm{dom}(\theta)\}) \setminus X$ is such that $\forall q \in \mathrm{Sub}(U), p \neq q\theta$. Let $z$ be a fresh variable. Let $\theta' = \{x \mapsto (x\theta)|_{p \leftarrow z} : x \in \mathrm{dom}(\theta)\}$, where $t|_{p \leftarrow z}$ denotes $t$ with every occurrence of $p$ replaced by $z$. Let us denote the height of a term $t$ by $\mathrm{ht}(t)$, the subterm of $t$ at position $l$ by $t[l]$ and the set of all positions in $t$ by $t[]$. Let us prove that $\forall u, v \in \mathrm{Sub}(U)$, $u\theta = v\theta \Rightarrow u\theta' = v\theta'$.

• If $u, v \in X$ then the statement is true by definition.

• If, w.l.o.g., $u \in X$ but $v \notin X$. Then for any $l \in v[]$ we have $(u\theta)[l] = (v[l])\theta$. Since $v[l] \in \mathrm{Sub}(U)$ we get $(u\theta)[l] \neq p$ (as we took $p$ such that $\forall q \in \mathrm{Sub}(U), p \neq q\theta$), and therefore $(v[l])\theta \neq p$. Thus $(v\theta)|_{p \leftarrow z} = v\theta'$. Therefore, $u\theta' = (u\theta)|_{p \leftarrow z} = (v\theta)|_{p \leftarrow z} = v\theta'$.

• If $u = f(u_1, \ldots, u_k) \wedge v = g(v_1, \ldots, v_m)$ then $f = g$, $m = k$ and for all $i \le k$ we have $v_i\theta = u_i\theta$. It is enough to prove that $v_i\theta' = u_i\theta'$. Let us prove this case by induction on $\min(\mathrm{ht}(u), \mathrm{ht}(v))$. For the basis of the induction, we have that either $u_i \in X$ or $v_i \in X$ (otherwise the basis is not minimal), and we have already proved that $v_i\theta = u_i\theta \Rightarrow v_i\theta' = u_i\theta'$. Suppose the statement is true for $\min(\mathrm{ht}(u), \mathrm{ht}(v)) \le n$. For $\min(\mathrm{ht}(u), \mathrm{ht}(v)) = n + 1$ we have $\mathrm{ht}(u_i) \le n$, $\mathrm{ht}(v_i) \le n$ and $u_i\theta = v_i\theta$ for all $i$. Then by the induction hypothesis and the two cases considered before we have $u_i\theta' = v_i\theta'$.

Thus, $\forall u, v \in \mathrm{Sub}(U)$, $u\theta = v\theta \Rightarrow u\theta' = v\theta'$, i.e. $\theta'$ is a unifier of $U$.

Moreover, for all $x \in \mathrm{dom}(\theta)$, $x\theta = (x\theta')\gamma$, where $\gamma = \{z \mapsto p\}$.

Since $\theta$ is a most general unifier, we have $p \in X$, which contradicts $p \in \mathrm{Sub}(\{x\theta \mid x \in \mathrm{dom}(\theta)\}) \setminus X$. □


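The following Python program is an added example, not code from the paper or from CL-AtSe. It implements syntactic unification (Martelli-Montanari, producing an idempotent most general unifier) and checks, on a constructed subterm-closed set $T$ and a ground substitution $\sigma$, the three facts the proof of Lemma 7 below relies on: $t\theta\sigma = t\sigma$ for $t \in \mathrm{Sub}(T)$ (Lemma 5), every subterm of $\mathrm{img}(\theta)$ is some $q\theta$ with $q \in \mathrm{Sub}(U)$ (Lemma 6), and $\mathrm{Sub}(T\theta) = \mathrm{Sub}(T)\theta$. The term encoding, the sample terms and all function names are this example's own assumptions.

```python
"""Added example: syntactic unification and the unifier properties used in
Lemmas 5-7.  Term encoding is this example's own convention:
  variable    -> str starting with an uppercase letter, e.g. "X"
  constant    -> lowercase str, e.g. "k"
  application -> tuple (symbol, arg_1, ..., arg_n), e.g. ("enc", "X", "k")
A substitution is a dict {variable: term}; application is single-step."""
from itertools import product


def is_var(t):
    return isinstance(t, str) and t[:1].isupper()


def apply(t, s):
    """t s : replace each variable of t bound in s by its image (one step)."""
    if is_var(t):
        return s.get(t, t)
    if isinstance(t, str):
        return t
    return (t[0],) + tuple(apply(a, s) for a in t[1:])


def subterms(t, acc):
    """Add every subterm of t (t included) to the set acc; return acc."""
    acc.add(t)
    if isinstance(t, tuple):
        for a in t[1:]:
            subterms(a, acc)
    return acc


def variables(t):
    return {s for s in subterms(t, set()) if is_var(s)}


def compose(s1, s2):
    """Substitution s1 followed by s2: x -> (x s1) s2."""
    out = {x: apply(t, s2) for x, t in s1.items()}
    for x, t in s2.items():
        out.setdefault(x, t)
    return out


def mgu(equations):
    """Martelli-Montanari unification.  Returns an idempotent most general
    unifier (a dict) of the pairs in `equations`, or None if none exists."""
    theta = {}
    work = list(equations)
    while work:
        a, b = work.pop()
        a, b = apply(a, theta), apply(b, theta)  # solve under current theta
        if a == b:
            continue                              # trivial equation
        if is_var(b) and not is_var(a):
            a, b = b, a                           # orient: variable first
        if is_var(a):
            if a in variables(b):
                return None                       # occurs check fails
            theta = compose(theta, {a: b})        # keeps theta idempotent
        elif isinstance(a, str) or isinstance(b, str) \
                or a[0] != b[0] or len(a) != len(b):
            return None                           # symbol clash
        else:
            work.extend(zip(a[1:], b[1:]))        # decompose f(..) = f(..)
    return theta


# Constructed sample: T is subterm-closed, sigma is ground on Vars(T), and
# X, Y and enc(Z, k) all collapse to enc(a, k) under sigma.
SAMPLE_T = {"X", "Y", "Z", "k", ("enc", "Z", "k"), ("pair", "X", "Y")}
SAMPLE_SIGMA = {"X": ("enc", "a", "k"), "Y": ("enc", "a", "k"), "Z": "a"}


def check_lemmas(T=SAMPLE_T, sigma=SAMPLE_SIGMA):
    """Build U = {p =? q : p, q in Sub(T), p sigma = q sigma}, compute
    theta = mgu(U) and test the properties of Lemmas 5 and 6 and the
    identity Sub(T theta) = Sub(T) theta used in the proof of Lemma 7."""
    sub_t = set()                      # Sub(T); equals Sub(U) since U has p =? p
    for t in T:
        subterms(t, sub_t)
    U = [(p, q) for p, q in product(sub_t, sub_t)
         if apply(p, sigma) == apply(q, sigma)]
    theta = mgu(U)
    img_sub = set()
    for t in theta.values():
        subterms(t, img_sub)
    sub_t_theta = set()
    for t in T:
        subterms(apply(t, theta), sub_t_theta)
    return theta, {
        "idempotent": all(apply(t, theta) == t for t in theta.values()),
        # Lemma 5: t theta sigma = t sigma for every t in Sub(T)
        "lemma5": all(apply(apply(t, theta), sigma) == apply(t, sigma)
                      for t in sub_t),
        # Lemma 6: every subterm of img(theta) is q theta for some q in Sub(U)
        "lemma6": all(any(p == apply(q, theta) for q in sub_t)
                      for p in img_sub),
        # Sub(T theta) = Sub(T) theta, as used when T = Sub(T0) theta is built
        "sub_commutes": sub_t_theta == {apply(s, theta) for s in sub_t},
    }
```

Running `check_lemmas()` on the sample returns $\theta = \{X \mapsto \mathit{enc}(Z, k),\ Y \mapsto \mathit{enc}(Z, k)\}$ together with all four flags true; the unifier is obtained from the variable-to-variable equation $X \stackrel{?}{=} Y$ and the structural equations with $\mathit{enc}(Z, k)$ regardless of the order in which the pairs of $U$ are processed.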

Lemma 7. Let $\mathcal{S}$ be a constraint system and $\sigma$ be a ground substitution such that 
$\sigma \models \mathcal{S}$. Then there exists a set of terms $T$, a substitution $\tau$ of domain $\mathrm{Var}(T) \setminus 
\mathrm{Var}(\mathcal{S})$, a substitution $\theta$ and an $(\mathcal{S}\theta, \sigma)$-compliant derivation $D$ such that 

• $D$ is $(T, \sigma \cup \tau)$-maximal and one-to-one localized by $T$ for $\sigma \cup \tau$; 

• $\sigma \cup \tau = \theta(\sigma \cup \tau)$; 

• $\mathrm{Sub}(\mathcal{S}\theta) \subseteq T$; 

• $T$ and $\theta$ are of size linear in $|\mathrm{Sub}(\mathcal{S})|$. 

Proof. Under the same assumptions, by Lemma 4 there exists $T_0 \supseteq \mathrm{Sub}(\mathcal{S})$ of 
size linear in $|\mathrm{Sub}(\mathcal{S})|$ and $\tau$ of domain $\mathrm{Var}(T_0) \setminus \mathrm{Var}(\mathcal{S})$ such that there exists 
a $(T_0, \sigma \cup \tau)$-maximal and $(\mathcal{S}, \sigma)$-compliant derivation $D$ which is localized by 
$T_0$ for the same substitution $\sigma' = \sigma \cup \tau$. 

Let $U = \{t \stackrel{?}{=} t' : t, t' \in \mathrm{Sub}(T_0) \text{ and } t\sigma' = t'\sigma'\}$. The unification system $U$ 
has a unifier $\sigma'$ and thus has a most general solution $\theta$. By ??, $\sigma' = \theta\sigma'$. 

Let $T = \mathrm{Sub}(T_0)\theta$. 

Since $\mathrm{Sub}(\mathcal{S}) \subseteq T_0$ we have $\mathrm{Sub}(\mathcal{S}\theta) \subseteq \mathrm{Sub}(T_0\theta)$. Since $\theta$ is a most general 
unifier of $U$ and $\mathrm{Sub}(U) = \mathrm{Sub}(T_0)$ we have $\mathrm{Sub}(T_0\theta) = \mathrm{Sub}(T_0)\theta$ by ??. 
This implies (i) $\mathrm{Sub}(\mathcal{S}\theta) \subseteq T$, (ii) $\theta$ is of linear size on $|\mathrm{Sub}(T_0)|$ and thus on 
$|\mathrm{Sub}(\mathcal{S})|$, and (iii) $T$ is of linear size on $|\mathrm{Sub}(\mathcal{S})|$. Moreover, as $\sigma' = \theta\sigma'$ we 
have $\mathrm{Sub}(T)\sigma' = \mathrm{Sub}(T_0)\sigma'$, and thus from $D$ being $(T_0, \sigma')$-maximal it follows that $D$ is 
$(T, \sigma')$-maximal. 

Assume there exist $t, t' \in \mathrm{Sub}(T)$ such that $t\sigma' = t'\sigma'$ but $t \neq t'$. Since 
$T = \mathrm{Sub}(T_0\theta)$ there exist $t_0, t'_0 \in \mathrm{Sub}(T_0)$ such that $t_0\theta \neq t'_0\theta$ but $t_0\theta\sigma' = t'_0\theta\sigma'$. 
From $\sigma' = \theta\sigma'$ we thus have $t_0, t'_0 \in \mathrm{Sub}(T_0)$ such that $t_0\theta \neq t'_0\theta$ but 
$t_0\sigma' = t'_0\sigma'$. This contradicts the fact that $\theta$ satisfies $U$. 

Finally, from $D$ being $(\mathcal{S}, \sigma)$-compliant and $\sigma = \theta\sigma$ we have that $D$ is $(\mathcal{S}\theta, \sigma)$-
compliant. □ 

3.3 Milestone sequence 

In addition to retracing the deduction steps performed in $D$ we want to track 
which terms relevant to $\mathcal{S}$ are deduced in $T$, and in which order. 

Definition 3.3 (Milestone sequence). Let $T$ be a set of terms and $\sigma$ be a ground 
substitution. We say that $\Gamma$ is the $(T, \sigma)$-milestone sequence of a derivation 
$D = (l_i \to r_i)_{1 \le i \le m}$ if $\Gamma = t_1, \ldots, t_n$ is a sequence of maximal length in which 
each $t_i$ is either of the form $\to t$ or of the form $!t$, with $t \in \mathrm{Sub}(T)$, and there 
exists a strictly increasing function $\alpha : \{1, \ldots, n\} \to \{1, \ldots, m\}$ such that for 
every $1 \le i \le n$ we have: 

1. if $\Gamma[i] = {!t}$ then $D[\alpha(i)] = {!t\sigma}$; 

2. if $\Gamma[i] = {\to t}$ then $D[\alpha(i)] = l_i \to t\sigma$ is a standard deduction rule. 

Lemma 8. Let $\sigma \models \mathcal{S}$, $T \supseteq \mathrm{Sub}(\mathcal{S})$ and $\sigma'$ be an extension of $\sigma$ on $\mathrm{Vars}(T)$. 
Let $D$ be a $(T, \sigma')$-maximal derivation one-to-one localized by $T$ for $\sigma'$. Let $\Gamma$ be a 
$(T, \sigma')$-milestone sequence. Then for any $i$ and any $x \in \mathrm{Vars}(\Gamma[i])$ there exists 
$j < i$ such that $\Gamma[j] = {\to x}$. 

Proof. If $x \in \mathrm{Vars}(\Gamma[i])$ then there exists a corresponding deduction $D[j]$ that 
deduces the term $\Gamma[i]\sigma'$. Then by ?? there exists $k < j$ such that $D[k]$ deduces $x\sigma'$ by 
a standard rule. From the injectivity of $\sigma'$ it follows that $x$ is the only term of 
$\mathrm{Sub}(T)$ having $\sigma'$-image equal to $x\sigma'$. Thus, by definition of milestone sequence, 
there exists $m < i$ such that $\Gamma[m] = {\to x}$. □ 



4 Deciding constraint systems 

From now on we suppose that the considered subterm deduction system con- 
tains a rule $x_1, x_2 \to f(x_1, x_2)$, where $f$ is a function symbol of arity 2 that 
does not occur in any other rule. 

Theorem 1. Let $\sigma$ be such that $\sigma \models \mathcal{S}$, $T$ such that $T \supseteq \mathrm{Sub}(\mathcal{S})$ and $\sigma'$ an 
extension of $\sigma$ on $\mathrm{Vars}(T)$. Let $D$ be a $(T, \sigma')$-maximal derivation one-to-one 
localized by $T$ for $\sigma'$ in which no term is deduced twice by a standard rule. 
Then there exists a solution $\tau$ of $\mathcal{S}$ of size polynomial in $|\mathrm{Sub}(T)|$. 

Proof. First let us define the replacement of a term $q$ by a term $p$ in $t$, denoted 
$t|_{q \leftarrow p}$, as follows: $t|_{q \leftarrow p}$ is the term obtained from $t$ by simultaneously replacing 
all occurrences of $q$ in $t$ by $p$. For a substitution $\sigma = \{x \mapsto t_x : x \in \mathrm{dom}(\sigma)\}$ 
we define $\sigma|_{q \leftarrow p} = \{x \mapsto (t_x|_{q \leftarrow p}) : x \in \mathrm{dom}(\sigma)\}$. 
Let $\Gamma$ be a $(T, \sigma')$-milestone sequence for $D$. 
Let $M = m_1, \ldots, m_n$ be the maximal increasing sequence such that for any 
$i = 1, \ldots, n$, $\Gamma[m_i] = {!t_{m_i}}$. We put also $m_0 = 0$ and $m_{n+1} = |\Gamma| + 1$. Let 
$\Gamma_i = \Gamma[m_i + 1 : m_{i+1} - 1]$. 

Goal. We will prove the existence of a ground substitution $\tau'$, a set of terms 
$T' \supseteq T$ and a derivation $D'$ which is $(\mathcal{S}, \tau)$-compliant, $(T', \tau')$-maximal (where 
$\tau = \tau'|_{\mathrm{Vars}(\mathcal{S})}$ is of linear size on $\mathrm{Sub}(T)$) and is one-to-one localized by $T'$ 
with $\tau'$ such that its $(T, \tau')$-milestone sequence coincides with $\Gamma$. 

If this is proved, by ?? we can show that $\tau \models \mathcal{S}$. 

Build $T'$. Let $X$ be the set of variables of $T$ whose $\sigma'$-instances are not 
derivable from the empty knowledge. By ?? each variable $x$ of $\mathrm{Vars}(\Gamma)$ appears 
first as $\to x$ in $\Gamma$. Therefore, we may put $X = \{x_1, \ldots, x_u\} = \mathrm{Vars}(\Gamma) \setminus 
\{x : {\to x} \in \Gamma_0\}$. For each $x \in X$, let $\bar{x}$ be a new fresh variable (corresponding 
to $x$) and let $\bar{X} = \{\bar{x} : x \in X\}$. Finally, we put $T' = T \cup \bar{X}$. 
Build $\tau'$. Let $\tau'$ be a ground substitution defined as follows: 

• for any $x \in X$, $\bar{x}\tau'$ is a nonce $n_x$ and $x\tau' = f(t_{m_i}\tau', n_x)$, where $\to x$ 
appears first in $\Gamma_i$ (note that by ?? for any $y \in \mathrm{Vars}(t_{m_i})$, $\to y$ appears 
for the first time at a position before $m_i$ in $\Gamma$, and thus $\tau'$ is correctly defined); 

• for any $y \in \mathrm{Vars}(\Gamma_0)$, $y\tau' = n_y$; 

• for any $z \in \mathrm{Vars}(T) \setminus \mathrm{Vars}(\Gamma)$,² $z\tau' = a_z$, where $a_z$ is a fresh constant 
from $\mathcal{A} \setminus C_{med}$ not appearing in $\mathrm{Sub}(T)$. 

We can see that $x\tau'$ is of polynomial size on $|\mathrm{Sub}(\mathcal{S})|$ for any $x \in \mathrm{Vars}(T)$. 
Show $\tau'$ is injective on $\mathrm{Sub}(T')$. Suppose the contrary: let $p, q \in \mathrm{Sub}(T')$ be 
a pair with minimal size of $p\tau'$ and having $p\tau' = q\tau'$, while $p \neq q$. If neither $p$ 
nor $q$ is a variable, then this contradicts the minimality of $p\tau'$ (we can choose 
subterms of $p$ and $q$ satisfying the choice criteria). If both are variables, then 
it is not possible by the construction of $\tau'$. W.l.o.g. let $p \in \mathcal{X}$ and $q \notin \mathcal{X}$. The 
case where $p\tau'$ is a nonce or another constant is impossible; thus $p\tau' = f(t_{m_i}\tau', n_x)$ 
and $q = f(u, \bar{x})$ (since by construction for every nonce $n_x$ there exists only one 
variable $\bar{x}$ such that $\bar{x}\tau' = n_x$, and $n_x \notin \mathrm{Sub}(T')$). But again, by construction 
(note that $\bar{x}$ was a fresh variable), the only term in $\mathrm{Sub}(T')$ having $\bar{x}$ as a 
subterm is $\bar{x}$, thus $q \in \mathcal{X}$: contradiction. 

Build a replacement to pass from $\tau'$ to $\sigma'$. Let $\delta$ be the replacement 
$\delta = \{x\tau' \leftarrow x\sigma' : x \in \mathrm{Vars}(T)\}$. Then $\tau'\delta = \sigma'$ on $\mathrm{Vars}(T)$. Moreover, from the 
property we have just proven it follows that for any $t \in \mathrm{Sub}(T')$ we have $(t\tau')\delta = 
t(\tau'\delta)$, and for $t \in \mathrm{Sub}(T)$ we have $(t\tau')\delta = t\sigma'$. Note also that $(\bar{x}\tau')\delta = \bar{x}\tau'$ for 
any $\bar{x} \in \bar{X}$. 

Build an $(\mathcal{S}, \tau)$-compliant derivation $D'$ localized by $T'$ with $\tau'$. Let 
$D'_0 = {\to n_{x_1}}, \ldots, {\to n_{x_u}}$. Let $D'_1$ be a sequence of rules of length $|\Gamma|$ such that 
for any $i \le |\Gamma|$: 

• if $\Gamma[i] = {!t}$ then $D'_1[i] = {!t\tau'}$; 

• if $\Gamma[i] = {\to x}$ and $x \in X$ then $D'_1[i] = n_x, t_{m_j}\tau' \to x\tau'$, where $\to x$ appears 
first in $\Gamma_j$; 

• if $\Gamma[i] = {\to y}$ and $y \in \mathrm{Vars}(\Gamma_0)$ then $D'_1[i] = {\to y\tau'}$; 

• if $\Gamma[i] = {\to t}$ and $t \notin \mathcal{X}$ then, since $D$ is one-to-one localized by $T$, there 
exist $t_1, \ldots, t_k$ such that ${!t_j} \in \Gamma[1 : i - 1]$ or ${\to t_j} \in \Gamma[1 : i - 1]$ for 
$j = 1, \ldots, k$ and $t_1, \ldots, t_k \to t$ is a deduction rule. Thus, we put $D'_1[i] = 
t_1\tau', \ldots, t_k\tau' \to t\tau'$. 

We define $D' = D'_0, D'_1$. Note that $R_{D'_0}(|D'_0|) = \bar{X}\tau'$ and for any $i$, $R_{D'_1}(i) = 
\Gamma[1 : i]\tau'$. Thus, by construction $D'$ is a derivation which is $(\mathcal{S}, \tau)$-compliant 
and localized by $T'$ for $\tau'$. Moreover, it is one-to-one localized since $\tau'$ is injective 
on $\mathrm{Sub}(T')$. 

We have by construction of $D'$ that its $(T', \tau')$-milestone sequence is $\Gamma' = {\to 
\bar{x}_1}, \ldots, {\to \bar{x}_u}, \Gamma$. Moreover, $|D'| = |\Gamma'|$. 

² We note that in practice $\mathrm{Vars}(T) \setminus \mathrm{Vars}(\Gamma) = \emptyset$ if we look at how $T$ is constructed in ??. 

Show that $D'$ is $(T', \tau')$-maximal. That is, for any $t \in \mathrm{Sub}(T')$, if $t\tau' \in 
\mathrm{Der}(R_{D'}(i))$ then $t\tau' \in R_{D'}(\mathrm{Next}_{D'}(i) - 1)$. 

The case $t \in \bar{X}$ is trivial, since $\bar{X}\tau'$ is deduced at the very beginning of $D'$. 

Suppose that there exist an index $j$ and a term $t \in \mathrm{Sub}(T)$ such that $t\tau' \in 
\mathrm{Der}(t_{m_1}\tau', \ldots, t_{m_j}\tau')$ but $t\tau' \notin R_{D'}(u + m_{j+1} - 1)$, i.e. $t\tau'$ is not deduced be- 
fore the non-standard rule following the $j$-th one in $D'$. In this case $t\sigma' \notin \mathrm{Der}(t_{m_1}\sigma', \ldots, t_{m_j}\sigma')$, 
otherwise by maximality $t\sigma'$ would be deduced before the $(j + 1)$-th non-standard 
rule of $D$ and by construction $t\tau'$ would also appear in $D'$ before the $(j + 1)$-th 
non-standard rule of $D'$. 

Let $j$ be such a minimal index. Note that $\mathrm{Vars}(t) \subseteq \mathrm{Vars}(\Gamma)$, otherwise 
by construction $t\tau'$ would contain some fresh constants from $\mathcal{A} \setminus C_{med}$ and thus 
would not be derivable from $t_{m_1}\tau', \ldots, t_{m_j}\tau'$. Let $m'$ (resp. $m$) be the maximal 
index such that $D'[1 : m']$ (resp. $D[1 : m]$) contains exactly $j$ non-standard rules. 
Thus, $t\tau' \in \mathrm{Der}(R_{D'}(m'))$ and $t\sigma' \notin \mathrm{Der}(R_D(m))$. Note that $t\tau' \notin R_{D'}(m')$ 
(otherwise it would imply $t\sigma' \in R_D(m)$). Let $E'$ be a minimal sequence of 
standard rules such that $D'[1 : m'], E'$ is a derivation ending with a standard 
deduction of $t\tau'$. W.l.o.g., we suppose that $E'[1 : |E'| - 1]$ does not deduce terms 
from $\mathrm{Sub}(T)\tau'$ (otherwise, if $t'\tau'$ is deduced in $E'[1 : |E'| - 1]$ with $t' \in \mathrm{Sub}(T)$ 
then (i) either $t'\sigma' \in \mathrm{Der}(R_D(m))$ and by maximality of $D$, $t'\sigma' \in R_D(m)$, 
which contradicts the minimality of $E'$, (ii) or $t'\sigma' \notin \mathrm{Der}(R_D(m))$, which implies 
$t'\sigma' \notin R_D(m)$; thus by construction $t'\tau' \notin R_{D'}(m')$ and we could choose $t'$ 
instead of $t$). 

Let $\mathcal{S}'$ be the constraint system obtained from $\mathcal{S}$ by removing all constraints 
after the $j$-th $!$-constraint and removing all $\not\vdash$-constraints. By construction, $D'[1 : 
m'], E'$ is a proof of $\tau \models \mathcal{S}'$ and thus we can apply ??, i.e. all rules of $E'[1 : 
|E'| - 1]$ are compositions. 

Suppose that $t$ is a variable. Note that $t\tau'$ is not a nonce, otherwise by defi- 
nition of $\tau'$, $t \in \Gamma_0$ and thus $t\sigma' \in R_D(m)$. Therefore, $t\tau' = f(t_{m_k}\tau', n_t)$, where 
$\to t$ first appears in $\Gamma_k$. Since $t$ is a variable, the last rule of $E'$ is also a compo- 
sition, more precisely $t_{m_k}\tau', n_t \to f(t_{m_k}\tau', n_t)$. If $k \le j$, by construction of $\tau'$, 
$t\sigma'$ must be in $R_D(m)$. Thus, $k > j$. Since $D'[1 : m'], E'$ is a derivation, either 
$t_{m_k}\tau' \in R_{E'}(|E'| - 1)$ or $t_{m_k}\tau' \in R_{D'}(m')$. The former contradicts the choice 
of $E'$. The latter case implies $t_{m_k}\sigma' \in R_D(m) \subseteq \mathrm{Der}(t_{m_1}\sigma', \ldots, t_{m_j}\sigma')$ and 
thus, as $j < k$, we have that $\mathrm{Der}(t_{m_1}\sigma', \ldots, t_{m_k}\sigma') = \mathrm{Der}(t_{m_1}\sigma', \ldots, t_{m_{k-1}}\sigma')$. 
Thus, $\Gamma_k$ must be empty, otherwise it contradicts the maximality of $D$ and the fact that 
no term is deduced twice by a standard rule in $D$. This contradicts the fact that $\to t$ 
appears first in $\Gamma_k$. 
Thus, $t \notin \mathcal{X}$. 

Let us build a sequence of rules $E$ such that $E[i] = E'[i]\delta$ and show that 
$D[1 : m], D'_0, E$ is a proof of $t\sigma' \in \mathrm{Der}(t_{m_1}\sigma', \ldots, t_{m_j}\sigma')$. 
Let us show that $E'[i]\delta$ is a rule. 

• If $E'[i] = {\to o}$ is a nonce generation, then $o \notin \mathrm{img}(\tau')$ due to the mini- 
mality of $E'$ and since all variables of $T'$ that are mapped to nonces by $\tau'$ 
are deduced in $D'$ before the first non-standard rule. Thus $o\delta = o$ and we 
have $E[i] = {\to o}$. 

• If $E'[i]$ is another composition, then $E'[i] = t'_1, \ldots, t'_v \to h(t'_1, \ldots, t'_v)$. 
Since $t \notin \mathcal{X}$ and $E'[1 : |E'| - 1]$ does not deduce terms from $\mathrm{Sub}(T)\tau'$ 
we have $h(t'_1, \ldots, t'_v) \neq x\tau'$ for any $x \in \mathrm{Vars}(T')$. Thus, $h(t'_1, \ldots, t'_v)\delta = 
h(t'_1\delta, \ldots, t'_v\delta)$ and $t'_1\delta, \ldots, t'_v\delta \to h(t'_1\delta, \ldots, t'_v\delta)$ is a composition 
rule. 

• If $E'[i]$ is a decomposition, then since no decomposition rule contains $f$, 
the value of $x\tau'$ (which is a fresh nonce or has $f$ as its root symbol) may be 
replaced with any other term and we still obtain an instance of the same 
decomposition rule, i.e. $E'[i]\delta$ is an instance of a decomposition rule. 

As noted above, since $\forall r \in \mathrm{Sub}(T)$, $(r\tau')\delta = r\sigma'$ and $D'_0\delta = D'_0$ by construc- 
tion, we have $R_{D'}(m')\delta \subseteq R_D(m) \cup \{\bar{x}\tau' : \bar{x} \in \bar{X}\}$. Thus, $D[1 : m], D'_0, E$ is a 
derivation deducing $t\tau'\delta = t\sigma'$, i.e. $t\sigma' \in \mathrm{Der}(t_{m_1}\sigma', \ldots, t_{m_j}\sigma')$. Contradiction. 

Therefore, $D'$ is $(T', \tau')$-maximal. 

Conclusion. Since $\mathrm{Sub}(\mathcal{S}) \subseteq T'$ and $\tau'$ is injective on $\mathrm{Sub}(T')$, we have 
by construction of $D'$ that for any term $t \in \mathrm{Sub}(\mathcal{S})$, $t\sigma'$ is deduced before the $j$-th 
non-standard rule of $D$ (resp. deduced in $D$) if and only if $t\tau'$ is deduced before the 
$j$-th non-standard rule of $D'$ (resp. deduced in $D'$). Therefore, since $\sigma \models \mathcal{S}$, 
$D$ is $(\mathcal{S}, \sigma)$-compliant and $(\mathrm{Sub}(\mathcal{S}), \sigma)$-maximal, and $D'$ is $(\mathcal{S}, \tau)$-compliant 
and $(\mathrm{Sub}(\mathcal{S}), \tau)$-maximal, we may use ?? twice and obtain that $\tau$ satisfies $\mathcal{S}$. □ 

Corollary 1. Let $\mathcal{S}$ be a constraint system. $\mathcal{S}$ is satisfiable if and only if there 
exists a solution $\sigma'$ of $\mathcal{S}$ of polynomial size w.r.t. $|\mathrm{Sub}(\mathcal{S})|$. 

Proof. ($\Leftarrow$) is trivial, since $\sigma' \models \mathcal{S}$. Consider ($\Rightarrow$). Let $\sigma \models \mathcal{S}$. By ?? there 
exist a set of terms $T$ and a substitution $\theta$, both of size linear in $|\mathrm{Sub}(\mathcal{S})|$, an 
extension $\gamma$ of $\sigma$ and a $(T, \gamma)$-maximal, $(\mathcal{S}\theta, \sigma)$-compliant derivation $D$ one-to- 
one localized by $T$ for $\gamma$. We also have $\gamma = \theta\gamma$ (which implies $\sigma = \theta\sigma$). Thus $\sigma$ 
satisfies $\mathcal{S}\theta$. 
From the same lemma we have $\mathrm{Sub}(\mathcal{S}\theta) \subseteq T$. By ?? there exists a substitu- 
tion $\tau$ of size polynomial in $|\mathrm{Sub}(T)|$ (and consequently polynomial in $|\mathrm{Sub}(\mathcal{S})|$) 
such that $\tau \models \mathcal{S}\theta$. From this we have $\theta\tau \models \mathcal{S}$. Moreover, since both $\theta$ and $\tau$ are 
of polynomial size on $|\mathrm{Sub}(\mathcal{S})|$, $\sigma' = \theta\tau$ is also of polynomial size on $|\mathrm{Sub}(\mathcal{S})|$. □ 



From the previous result we can directly derive an NP decision procedure 
for constraint system satisfiability: guess a substitution of size polynomial in 
$|\mathrm{Sub}(\mathcal{S})|$ and check whether it satisfies $\mathcal{S}$ in polynomial time (see e.g. [1]). 

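The Python program below is an added example, not code from the paper or from its CL-AtSe implementation. It shows the checking half of this procedure: a candidate substitution is applied to a constraint system containing both deducibility constraints ($K \vdash t$) and non-deducibility constraints ($K \not\vdash t$), and each resulting ground deducibility question is decided by saturating $\mathrm{Sub}(K \cup \{t\})$, which is polynomial because a subterm deduction system only needs those terms in a proof. The deduction system (pairing and symmetric encryption), the term encoding, the mediator scenario and all names are this example's own assumptions; `solve` is an exhaustive stand-in for the nondeterministic guess and is exponential, as expected.

```python
"""Added example (not code from the paper or from CL-AtSe): the checking
half of the NP procedure.  A candidate substitution is applied to a
constraint system with positive (K |- t) and negative (K |/- t) constraints
and every resulting ground deducibility question is decided in polynomial
time.  The deduction system is a constructed Dolev-Yao style subterm system
(pairing, symmetric encryption).  Term encoding: uppercase str = variable,
lowercase str = constant, tuple = ("pair", l, r) or ("enc", msg, key)."""
from itertools import product


def is_var(t):
    return isinstance(t, str) and t[:1].isupper()


def apply(t, s):
    """Instantiate term t with substitution s (dict variable -> term)."""
    if is_var(t):
        return s.get(t, t)
    if isinstance(t, str):
        return t
    return (t[0],) + tuple(apply(a, s) for a in t[1:])


def subterms(t, acc):
    acc.add(t)
    if isinstance(t, tuple):
        for a in t[1:]:
            subterms(a, acc)
    return acc


def deducible(knowledge, target):
    """Ground deducibility K |- t.  In a subterm deduction system a proof of
    t from K only needs terms of Sub(K u {t}) (locality), so saturating that
    finite set with the rules and testing membership is complete and runs
    in time polynomial in |Sub(K u {t})|."""
    cand = set()
    for k in knowledge:
        subterms(k, cand)
    subterms(target, c_and := cand) if False else subterms(target, cand)
    known = set(knowledge)
    changed = True
    while changed:
        changed = False
        for s in cand - known:
            # compositions  x, y -> pair(x, y)  and  x, y -> enc(x, y)
            if isinstance(s, tuple) and all(a in known for a in s[1:]):
                known.add(s)
                changed = True
                continue
            for k in list(known):
                if not isinstance(k, tuple):
                    continue
                # projections  pair(x, y) -> x,  pair(x, y) -> y
                # decryption   enc(x, y), y -> x
                if (k[0] == "pair" and s in k[1:]) or \
                        (k[0] == "enc" and k[1] == s and k[2] in known):
                    known.add(s)
                    changed = True
                    break
    return target in known


def satisfies(constraints, sigma):
    """sigma |= S: ("deduce", K, t) needs K sigma |- t sigma and
    ("not", K, t) needs K sigma |/- t sigma."""
    for kind, knowledge, term in constraints:
        inst = [apply(x, sigma) for x in knowledge]
        if deducible(inst, apply(term, sigma)) != (kind == "deduce"):
            return False
    return True


def solve(constraints, depth=1):
    """Exhaustive stand-in for the NP 'guess': try every ground term built
    from the constants of S with at most `depth` nested pair/enc
    applications (exponential; only the check above is polynomial)."""
    atoms = set()
    for _, knowledge, term in constraints:
        for x in knowledge + [term]:
            subterms(x, atoms)
    names = sorted(a for a in atoms if is_var(a))
    terms = {a for a in atoms if isinstance(a, str) and not is_var(a)}
    for _ in range(depth):
        terms |= {(f, a, b) for f in ("pair", "enc")
                  for a in terms for b in terms}
    for choice in product(sorted(terms, key=repr), repeat=len(names)):
        sigma = dict(zip(names, choice))
        if satisfies(constraints, sigma):
            return sigma
    return None


# Constructed mediator scenario: from X and enc(s, k) the mediator must be
# able to output the secret s, but from X alone it must not learn s.
SYSTEM = [("deduce", ["X", ("enc", "s", "k")], "s"), ("not", ["X"], "s")]


def example():
    """Which candidate values of X satisfy SYSTEM."""
    return {"key": satisfies(SYSTEM, {"X": "k"}),                        # True
            "key_in_pair": satisfies(SYSTEM, {"X": ("pair", "k", "n")}),  # True
            "leak": satisfies(SYSTEM, {"X": "s"}),                       # False
            "leak_in_pair": satisfies(SYSTEM, {"X": ("pair", "k", "s")}),  # False
            "useless": satisfies(SYSTEM, {"X": "n"})}                    # False
```

The two rejected candidates `leak` and `leak_in_pair` are exactly the kind of solution the non-deducibility constraint exists to exclude: they give the mediator the needed functionality but only by handing it the secret itself. `solve(SYSTEM)` returns `{"X": "k"}`, the first candidate in the enumeration order that passes the polynomial check.
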
5 Conclusion 

We have obtained the first decision procedure for deducibility constraints with 
negation and we have applied it to the synthesis of mediators subject to non- 
disclosure policies. It has been implemented as an extension of CL-AtSe [5T] 
for the Dolev-Yao deduction system. On the Loan Origination case study, 
the prototype directly generates the expected orchestration. Without negative 
constraints, undesired solutions in which the mediator impersonates the clerks 
were found. More details, including problem specifications, can be found at 
http://cassis.loria.fr/Cl-Atse. As in [?] our definition of subterm de- 
duction systems can be extended to allow ground terms in right-hand sides of 
decomposition rules even when they are not subterms of left-hand sides, and the 
decidability result remains valid with minor adaptation of the proof. A more 
challenging extension would be to consider general constraints (as in [3]) with 
negation. 